These are my reading notes for Code Fellows
The client exchanges this temporary code for an access token. (source)
These represent the authorization of some app to access certain pieces of a user’s data (a password, for example). (source)
Super secure, widely used, and most people already have one of the login methods.
The client_id is a public identifier for apps. Even though it’s public, it’s best that it isn’t guessable by third parties, so many implementations use something like a 32-character hex string. (source)
A client secret is a secret known only to your application and the authorization server. (source)
Endpoint authentication is a security mechanism designed to ensure that only authorized devices can connect to a given network, site or service. (source)
The /oauth/token endpoint is used by the application in order to get an access token or a refresh token. (source)
In simple terms, an API endpoint is the point of entry in a communication channel when two systems are interacting. It refers to touchpoints of the communication between an API and a server. The endpoint can be viewed as the means from which the API can access the resources they need from a server to perform their task. An API endpoint is basically a fancy word for a URL of a server or service. (source)
After the user returns to the application via the redirect URL, the application will get the authorization code from the URL and use it to request an access token. This request will be made to the token endpoint. (source)
Access tokens are used in token-based authentication to allow an application to access an API. The application receives an access token after a user successfully authenticates and authorizes access, then passes the access token as a credential when it calls the target API. The passed token informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. (source)
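To tie the notes above together (the 32-character hex client_id, the temporary code in the redirect URL, the exchange at the token endpoint, and the access token passed as a Bearer credential), here is an added example that is not from any of the cited sources. It simulates both sides of the authorization-code flow in memory with plain Python functions; the redirect URI, user id and scope names are constructed, and `token_endpoint` and `protected_api` are stand-ins for a real `/oauth/token` endpoint and a real API, not a real server.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# --- Authorization server side (in-memory stand-in, not a real server) ---

# Registered clients: client_id -> secret and redirect_uri. The client_id is a
# 32-character hex string, as the notes describe. All values are constructed.
REGISTERED_CLIENTS = {}

def register_client(redirect_uri):
    """Issue a public client_id (32 hex chars) and a confidential client_secret."""
    client_id = secrets.token_hex(16)          # 16 random bytes -> 32 hex characters
    client_secret = secrets.token_urlsafe(32)  # known only to the app and this server
    REGISTERED_CLIENTS[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
    return client_id, client_secret

# Temporary authorization codes: code -> details. A code is single-use and short-lived.
PENDING_CODES = {}
CODE_TTL_SECONDS = 60

def issue_authorization_code(client_id, redirect_uri, scope, user_id, now=None):
    """After the user authorizes, the server sends the browser back with a temporary code."""
    now = now if now is not None else time.time()
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(24)
    PENDING_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                           "scope": scope, "user_id": user_id,
                           "expires_at": now + CODE_TTL_SECONDS}
    return redirect_uri + "?" + urlencode({"code": code})

ISSUED_TOKENS = {}

def token_endpoint(form, now=None):
    """Stand-in for POST /oauth/token: exchange the code for an access token."""
    now = now if now is not None else time.time()
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    client = REGISTERED_CLIENTS.get(form.get("client_id"))
    # the client secret proves the request really comes from the registered app
    if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
        return {"error": "invalid_client"}
    pending = PENDING_CODES.pop(form.get("code"), None)  # pop: a code is redeemed once
    if (pending is None or pending["client_id"] != form["client_id"]
            or pending["redirect_uri"] != form.get("redirect_uri")
            or pending["expires_at"] < now):
        return {"error": "invalid_grant"}
    access_token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[access_token] = {"user_id": pending["user_id"], "scope": pending["scope"]}
    return {"access_token": access_token, "token_type": "Bearer", "scope": pending["scope"]}

def protected_api(authorization_header, required_scope):
    """Stand-in for the target API: accept a Bearer token only with the required scope."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer":
        return 401, None
    info = ISSUED_TOKENS.get(token)
    if info is None:
        return 401, None                       # unknown or missing token
    if required_scope not in info["scope"].split():
        return 403, None                       # valid token, but scope not granted
    return 200, {"user_id": info["user_id"]}

# --- Client application side ---

def code_from_redirect(redirect_url):
    """Pull the temporary code out of the URL the browser was sent back to."""
    return parse_qs(urlparse(redirect_url).query)["code"][0]

def run_flow():
    """Walk the whole flow once and report what each step produced."""
    redirect_uri = "https://app.example/callback"          # constructed
    client_id, client_secret = register_client(redirect_uri)
    # the user signs in at the authorization server and consents to scope "profile:read"
    redirect_url = issue_authorization_code(client_id, redirect_uri, "profile:read", user_id="u-42")
    code = code_from_redirect(redirect_url)
    request = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
               "client_secret": client_secret, "redirect_uri": redirect_uri}
    token_response = token_endpoint(request)
    replay = token_endpoint(request)                       # same code a second time
    header = "Bearer " + token_response["access_token"]
    return {
        "client_id_len": len(client_id),
        "token_type": token_response["token_type"],
        "replay_error": replay.get("error"),
        "read_status": protected_api(header, "profile:read")[0],
        "write_status": protected_api(header, "profile:write")[0],
        "no_token_status": protected_api("Bearer not-a-real-token", "profile:read")[0],
    }

if __name__ == "__main__":
    print(run_flow())
```

The two checks worth noticing are in `token_endpoint`: the client secret is compared in constant time and the code is popped from the pending table, so presenting the same code twice yields `invalid_grant`, and in `protected_api`, where a token that was issued for `profile:read` is refused for `profile:write` even though it is otherwise valid.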